The Unexpected E-mail Needs More Scrutiny

The Verizon 2016 Data Breach Investigations Report (DBIR) again highlights phishing as a successful attack vector, with 30% of people opening phishing e-mails and 13% opening attachments, often within the first couple of minutes.  Here at Cyber Safe Workforce, we recently revised how we educate users about phishing.  Below is a highlight from our course; use it to talk to your employees!

Phishing Detection: Expected vs. Unexpected E-mail

When you receive an e-mail that requires action (opening an attachment, clicking a link/button, calling a phone number, or replying with information), ask yourself whether it was expected or not.  Expected e-mails follow a narrow definition:

  • A recent action (outside of e-mail) caused an e-mail to be sent. For example:
    • An order confirmation after placing an online order.
    • Slides from the morning meeting arrive after the meeting concludes.
  • A weekly subscription newsletter appears at the same day and time in its standard content and format.

Expected e-mails are LOW risk, and it is generally safe to proceed.

By contrast, these are UNEXPECTED e-mails:

  • Days after ordering something online, an e-mail arrives and states shipping has been delayed.
  • A friend who occasionally shares video links (at random times) sent one today.
  • An e-mail from your bank indicates potential fraudulent activity involving your account.
  • A co-worker requests information that he has not requested in the past.

Unexpected e-mails, where content seems unusual for the sender or involves sensitive information, are HIGH risk.

Notice above that although some e-mails are related to past legitimate actions, they still bear some risk because they are unexpected and could be phishing scams.

Unexpected e-mails need to trigger a “pause and inspect” (rather than a “click and continue”) reaction, which is why it’s important to define “expected” in precise terms.

When the sender is familiar (by name or by the brand's logo), people often assume the message is safe to act on.  Phishing e-mails count on this assumption!

Unexpected e-mail

When an expected e-mail is defined specifically as routine or as a result of a recent action, even e-mail from a familiar sender will elicit the “pause and inspect” reaction.
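To make the definition concrete, here is an added example in Python (not code from the Cyber Safe Workforce course) that applies the two narrow "expected" rules above to a constructed inbox: a message is LOW risk only if it is the next iteration of a routine series at its usual time, or if it follows a recent out-of-band action within a short window; everything else that asks for action is HIGH risk and gets the "pause and inspect" verdict. The sender addresses, timestamps, the 30-minute schedule tolerance and the 24-hour action window are assumptions chosen for the example.

```python
"""Expected-vs-unexpected e-mail triage (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Message:
    """An inbound e-mail as seen by the reader."""
    sender: str                      # full address; compared exactly, display name is ignored
    subject: str
    received: datetime
    requests_action: bool            # open attachment, click link, call, or reply with info
    involves_sensitive: bool = False  # credentials, account numbers, payroll data, etc.


@dataclass
class RecurringSeries:
    """A routine message: same sender, same weekday and hour, same subject pattern."""
    sender: str
    weekday: int                     # 0 = Monday
    hour: int
    subject_prefix: str
    tolerance: timedelta = timedelta(minutes=30)   # assumed schedule slack


@dataclass
class OutOfBandAction:
    """Something the reader did outside e-mail that should produce a message soon after."""
    description: str
    when: datetime
    expected_sender: str
    subject_keyword: str
    window: timedelta = timedelta(hours=24)        # assumed: later than this is 'unexpected'


def classify(msg: Message, series: List[RecurringSeries],
             actions: List[OutOfBandAction]) -> Tuple[str, str]:
    """Return (risk, reason). Only the two narrow 'expected' cases are LOW."""
    if not msg.requests_action:
        return ("LOW", "informational only; no action requested")
    sender = msg.sender.lower()
    # Rule 1: next iteration of a routine series, at the usual day/time and format.
    for s in series:
        slot = msg.received.replace(hour=s.hour, minute=0, second=0, microsecond=0)
        if (sender == s.sender.lower()
                and msg.received.weekday() == s.weekday
                and abs(msg.received - slot) <= s.tolerance
                and msg.subject.startswith(s.subject_prefix)):
            return ("LOW", f"expected: routine '{s.subject_prefix}' at its usual time")
    # Rule 2: caused by a recent action taken outside e-mail.
    for a in actions:
        elapsed = msg.received - a.when
        if (sender == a.expected_sender.lower()
                and timedelta(0) <= elapsed <= a.window
                and a.subject_keyword.lower() in msg.subject.lower()):
            return ("LOW", f"expected: follows recent action '{a.description}'")
    why = "unexpected: no recent action or routine schedule explains it"
    if msg.involves_sensitive:
        why += "; asks for sensitive information"
    return ("HIGH", "pause and inspect; " + why)


def triage_sample_inbox() -> Dict[str, Tuple[str, str]]:
    """Run the classifier over a constructed inbox; keyed by subject for inspection."""
    series = [RecurringSeries("news@example-digest.test", weekday=1, hour=9,
                              subject_prefix="Weekly Digest:")]          # Tuesdays 09:00
    actions = [OutOfBandAction("placed online order #4711",
                               datetime(2016, 6, 1, 14, 5),
                               "orders@shop.example.test", "order")]
    inbox = [
        Message("orders@shop.example.test", "Your order #4711 is confirmed",
                datetime(2016, 6, 1, 14, 7), requests_action=True),
        Message("orders@shop.example.test", "Your order #4711 has been delayed",
                datetime(2016, 6, 4, 10, 30), requests_action=True),
        Message("news@example-digest.test", "Weekly Digest: June 7 edition",
                datetime(2016, 6, 7, 9, 10), requests_action=True),
        Message("news@example-digest.test", "Weekly Digest: special offer",
                datetime(2016, 6, 10, 16, 0), requests_action=True),
        Message("alerts@bank.example.test", "Suspicious activity on your account",
                datetime(2016, 6, 8, 11, 45), requests_action=True, involves_sensitive=True),
        Message("pat@corp.example.test", "Need the Q2 payroll export today",
                datetime(2016, 6, 9, 8, 20), requests_action=True, involves_sensitive=True),
    ]
    return {m.subject: classify(m, series, actions) for m in inbox}


if __name__ == "__main__":
    for subject, (risk, reason) in triage_sample_inbox().items():
        print(f"{risk:4}  {subject}\n      {reason}")
```

Note that the shipping-delay notice and the off-schedule "newsletter" both come from addresses the reader already trusts, yet both end up HIGH: familiarity of the sender is deliberately not a rule. The exact-address comparison also means a spoofed display name buys nothing, while a lookalike domain would simply fail to match and fall through to HIGH; distinguishing the two is the sender-address inspection step taught after this one.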

Try this exercise:

Go into your inbox and evaluate any three e-mails.  Was the e-mail expected (as defined above)?  Why?  Was it the next iteration of a weekly newsletter, arriving at the usual time and with the usual format and content?  Was it related to a recent phone call or in-person conversation?

It’s great to have users evaluate their own inboxes because they can apply the “expected versus unexpected” construct in real life, rather than hypothetically. Once they begin to look at e-mails with an “unexpected filter,” additional phishing detection techniques, such as sender address and embedded link inspection, can be taught.
